Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I make a Splunk query that generates stats ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bm1391
New Member
12-17-2018
10:07 AM
Here is my current query:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | rex ".*Account\sName:\s+(?<account>\S+)" | eval Date=strftime(_time, "%Y/%m/%d")|stats count by Date,account,host|eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(count<low_lim OR count>high_lim, count,0)
I am trying to get all failed logons grouped by account name on a daily basis, and generate statistics so that future behavior can be identified as anomalous. This query "works", but this part of the query...
|eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(count<low_lim OR count>high_lim, count,0)
...generates the stats on all the accounts and not only on the specific account.
Early on in the query, I group it by account name, Date and host, but after eventstats, it generates statistics on all the accounts as if they are the same. I think this is very easy to fix but I can't seem to figure it out.
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
12-17-2018
11:48 AM
you should just be able to add by account at the end of your eventstats
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
| rex ".*Account\sName:\s+(?<account>\S+)"
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by Date,account,host
| eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean by account
| eval iqr=p70-p30
| eval xplier=2
| eval low_lim=median-(iqr*xplier)
| eval high_lim=median + (iqr*xplier)
| eval anamoly = if(count<low_lim OR count>high_lim, count,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
12-17-2018
11:48 AM
you should just be able to add by account at the end of your eventstats
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
| rex ".*Account\sName:\s+(?<account>\S+)"
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by Date,account,host
| eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean by account
| eval iqr=p70-p30
| eval xplier=2
| eval low_lim=median-(iqr*xplier)
| eval high_lim=median + (iqr*xplier)
| eval anamoly = if(count<low_lim OR count>high_lim, count,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bm1391
New Member
12-17-2018
12:25 PM
Yup that worked! Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bm1391
New Member
12-17-2018
10:23 AM
Switch the query to:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | rex ".*Account\sName:\s+(?\S+)" | eval Date=strftime(_time, "%Y/%m/%d")|stats count by Date,account,host|eventstats median(count) as median, p30(count) as p30, p70(count) as p70,mean(count) as mean **by account** | eval iqr=p70-p30 | eval xplier=2 | eval low_lim=median-(iqr*xplier) | eval high_lim=median + (iqr*xplier) | eval anamoly = if(counthigh_lim, count,0)
and It works...
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
.conf25 Global Broadcast: Don’t Miss a Moment
Hello Splunkers,
.conf25 is only a click away.
Not able to make it to .conf25 in person? No worries, you can ...
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
What's New in Splunk Observability - August 2025
What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...
